CVE-2026-2085

7.2 HIGH

Published 2026-02-07 · Modified 2026-02-09 · Awaiting Analysis

Quick Summary

A command injection vulnerability in the USSD configuration page of certain D-Link routers allows attackers to run arbitrary commands on the device. This is a serious flaw because it can be exploited remotely over the network.

Who is affected

Users of the D-Link DWR-M921 router running firmware version 1.1.50 are affected. An attacker could take full control of the device, steal data, or use it to launch further attacks.

Recommended fix

Immediately update the router's firmware to a version newer than 1.1.50 if available from D-Link. If no patch exists, disable remote administration and restrict access to the router's web interface to trusted networks only.

Technical Description

A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
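A detection sketch for the endpoint and parameter named above, added here as an example; it is not D-Link's code or part of the original advisory. It assumes HTTP request records are available from a proxy or sensor as path/body pairs, and that a legitimate USSD string contains only digits, `*` and `#` (at most 182 characters). The record layout and sample data are constructed.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/boafrm/formUSSDSetup"  # endpoint named in the advisory
PARAM = "ussdValue"                 # argument named in the advisory

# Assumption: a legitimate USSD string is 1-182 characters of digits, '*', '#'.
USSD_OK = re.compile(r"[0-9*#]{1,182}")


def suspicious_ussd_requests(records):
    """Return (record index, decoded value) for every request to ENDPOINT
    whose ussdValue is not a plain USSD string."""
    hits = []
    for i, rec in enumerate(records):
        path, _, query = rec["path"].partition("?")
        if path != ENDPOINT:
            continue
        # parse_qs URL-decodes values, so an encoded and a literal
        # metacharacter are treated alike. Both the query string and the
        # form body are checked, and repeated parameters are all inspected.
        values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
        values += parse_qs(rec.get("body", ""), keep_blank_values=True).get(PARAM, [])
        for value in values:
            if value and not USSD_OK.fullmatch(value):
                hits.append((i, value))
    return hits


# Constructed sample records (not captured traffic).
SAMPLE = [
    {"path": ENDPOINT, "body": "ussdValue=*100%23&submit=Send"},
    {"path": ENDPOINT, "body": "ussdValue=*100%23%3BCONSTRUCTED"},
    {"path": "/", "body": "ussdValue=%3BCONSTRUCTED"},
    {"path": ENDPOINT, "body": ""},
    {"path": ENDPOINT,
     "body": "ussdValue=*123*1%23&ussdValue=%24%28CONSTRUCTED%29"},
]

if __name__ == "__main__":
    for idx, val in suspicious_ussd_requests(SAMPLE):
        print(f"record {idx}: unexpected {PARAM}={val!r}")
```

The same allow-list check is the shape of a server-side fix: reject any value outside the expected alphabet before it reaches a command line.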

CVSS Details

Attack Vector: NETWORK

Complexity: LOW

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77, CWE-74
